...and I get a false positive or a true negative or whatever. Echoing $_POST just spits out "array". What am I doing wrong?
*Edit* I always find stuff after I post though I'm still a bit baffled, HttpMessage::getRequestMethod. How can I echo that out? Here is an example I've tried...
Here is a better question for me: what words would best find what I was looking for in Google? The better I know how to research on my own the fewer questions I have to ask.
It sent the referer URL. Or (the other way round) anything the client sends in the referer header you can find in $_SERVER['HTTP_REFERER']. If the client chooses to send Referer: Mary had a little lamb then there's nothing you can do about it. There's no header defined for the method used to retrieve the referer URL and standard clients will not send this kind of information. Therefore you cannot do what you want with PHP.
If the client sends Mary had a little lamb for their referer they're probably too drugged up to worry about not viewing my site. Seriously though, people who mess with the normal settings of their computer and browser for "privacy" while doing regular surfing need to learn what constitutes a breach of privacy and to realize that the only true threat to their privacy is their potential action to type their name or other personally identifiable information to a website.
And in this case the "mary had a little lamb" thing was not meant for security reasons but to illustrate that the referer information is something the client has to send (willingly) with the HTTP request. It may send the URL, but it does not send the method used to retrieve the doc.
Even in the rare instances of identified click-print identities they remain just that, click-print identities. The only way previous non-POST click-print identities could be identified without access to ISP records would be for the surfer to submit identifiable information. Until then user = X but we still don't know who X is.
By requiring the POST to come from a specific source we can, with additional coding and other methods, ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct, their POST may have been compromised as it was not encrypted.
So long as your script doesn't break or die because someone doesn't supply you with referral information, it's perfectly fine to check, but if it breaks functionality, that's not very nice, no matter how you play it.
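As an added example (not code from any poster in this thread), one way to make the checks discussed above in PHP: the method and transport are read from server-set values, while the Referer is treated as an optional, client-chosen hint that never breaks the request. The function name `inspectRequest`, the host `www.example.com` and the sample arrays are constructed for illustration.

```php
<?php
// $server stands in for $_SERVER so the function can be run on constructed input.
function inspectRequest(array $server, string $expectedHost): array
{
    // Method of *this* request, set by the web server rather than by a header.
    // Nothing tells you which method was used to fetch the referring page.
    $method = strtoupper($server['REQUEST_METHOD'] ?? '');

    // Transport of *this* request: non-empty on HTTPS ("off" on some IIS setups).
    // Assumption: TLS ends at this server; behind a proxy the value may be unset.
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Referer is optional free text chosen by the client: parse it defensively.
    $referer = $server['HTTP_REFERER'] ?? null;
    $refHost = is_string($referer) ? parse_url($referer, PHP_URL_HOST) : null;
    if ($referer === null) {
        $hint = 'absent';
    } elseif (!is_string($refHost)) {
        $hint = 'unparseable';
    } elseif (strcasecmp($refHost, $expectedHost) === 0) {
        $hint = 'expected-host';
    } else {
        $hint = 'other-host';
    }

    return [
        'method'       => $method,
        'encrypted'    => $https,
        // Decision uses only server-observed facts; the hint is for logging.
        'accept_post'  => $method === 'POST' && $https,
        'referer_hint' => $hint,
    ];
}

// Constructed sample requests, not captured traffic.
$samples = [
    ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on',
     'HTTP_REFERER' => 'https://www.example.com/form.php'],
    ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on',
     'HTTP_REFERER' => 'Mary had a little lamb'],
    ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on'],            // no Referer sent
    ['REQUEST_METHOD' => 'POST',
     'HTTP_REFERER' => 'https://www.example.com/form.php'],   // plain HTTP
];

foreach ($samples as $s) {
    echo json_encode(inspectRequest($s, 'www.example.com')), PHP_EOL;
}
```

A matching Referer on the last sample does not make the plain-HTTP POST acceptable, and a missing or nonsensical Referer on the others does not cause a rejection.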
JAB Creations wrote: By requiring the POST to come from a specific source we can, with additional coding and other methods, ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct, their POST may have been compromised as it was not encrypted.
Are you concerned about man-in-the-middle attacks or faulty server setups (allowing http where https should be necessary)?
Bad-guy could send the referer you want and for ssl-or-not take a look at